|
Our Nuclear Secrets Are... (in)secure?
Mike Hudack, Editor
Just a week or two ago, OSAll reported that Russians were attempting to hack into the Pentagon. The government later attributed these ‘attacks' to users of NMap, but we felt we knew better. Once again, foreign powers are using computers to combat the United States and steal our secrets.
In a recent front page story, the New York Times reported that all work has stopped at US nuclear laboratories until the computer systems can be secured further. It's absolutely astounding and frightening to learn just how lax security was at sites like Los Alamos -- and how easy it would have been to social engineer nuclear secrets.
According to the Times, and a source of our own inside the NSA, there was physical access between classified computers and unsecured ‘outside' systems. Such a physical link would be easily exploitable by even so-called script kiddies trying to steal nuclear secrets.
It appears to us that there must have already been a breach of security -- why else force a work stoppage? According to our NSA source, "none of the data is encrypted, nor is there a physical block between classified systems and outside systems."
Energy Department secretary Bill Richardson says that he's very committed to securing nuclear secrets -- but just how committed is he, and is the agency capable of such security? Such lapses in the past are proof positive that the Energy Department's computer department can't be trusted in its current state.
According to a Congressional aide, "[the Los Alamos computer system] is based on VAX and old UNIX... it's never updated for current exploits." This is alarming -- every time a new sendmail or rlogin exploit comes out, are our nuclear secrets at risk?
An immediate and sweeping audit must be conducted by the Navy Shadow security team to determine just how secure these secrets are. The results of such an audit will be obvious, though... Our predictions are as follows:
- Update all systems with recent exploit fixes
- Disconnect all classified systems from outside networks and provide physical blocks to prevent later reconnection
- Install a full-time auditing staff to check on network traffic
- Install a tripwire-like system to check the checksum of all system files
There has to be accountability now. Right now, the Department of Energy is less secure than the webserver you're viewing this document on. It's very sad -- and very, very frightening. |
